Banks and security experts cannot agree whether it is safe
for banks to use e-mail to communicate with their customers,
because the medium has been hijacked by criminals who try to
fool online banking users into divulging their log-in
Last week, ZDNet Australia reported that an
e-mail sent by Citibank confused both customers and security
experts because neither group could distinguish the genuine
e-mail from a phishing attack.
Security experts criticised Citibank because its e-mail asked
recipients to update their online bank log-in details due to an
update of the company's security system. Experts claimed the bank
had contradicted its own security guidelines and confused its
In response to the story, antivirus firm Sophos on Thursday
highlighted the increasing number of phishing attacks but claimed
that even though there is "little room for error", banks could
safely continue using e-mail for contacting customers -- as long
as they take precautions.
Ron O'Brien, senior security analyst at Sophos,
published an article that said: "58 percent of business PC
users receive at least one phishing e-mail each day, while,
alarmingly, 22 percent receive more than five a day, according to
a recent Web poll conducted by Sophos."
"Those numbers, combined with today's more strategically
targeted attacks, leave little room for error. If financial
institutions have proper network security in place and are
consistent in their messaging, customers will not have to guess
whether they are dealing with a phishing attack," said
But this statement was slammed by Neil Campbell, the recently
appointed CEO of e-mail security specialist Network Box. Last
week, while still working for Dimension Data, he advised banks to
stop sending e-mails to customers in order to "reduce the
effectiveness of phishing".
On Wednesday, he told ZDNet Australia that Sophos'
response was unrealistic.
"The approach that Sophos recommends breaks one of the basic
tenets of security: keep it simple," Campbell said.
"When planning information security controls you need to take
the computer-literacy of your users into account. You have to ask
yourself if it is reasonable to ask the average Internet banking
user to trust some e-mails that are apparently from their bank
but not others that are also apparently from their bank."
"If security was purely a theoretical exercise then I'd agree
with Sophos, but security is an exercise that is firmly grounded
in reality and the reality in this case is that you will confuse
your users and be unwittingly complicit in the proliferation and
success of phishing scams. As Mr O'Brien himself points out,
there is little room for error," said Campbell.
Richard Rundle, APAC manager at e-mail security firm GFi
Software, agreed that a messaging system that is only accessible
after the initial banking log-in process would make phishing less
"I bank with the National Australia Bank (NAB) -- the only way
to communicate with them is through their Internet banking,
because they have a messaging interface," said Rundle, who
explained that because of this policy, if he gets an e-mail
seemingly from the NAB he knows it must be a phishing attack and
can delete it.
Rundle said HSBC Hong Kong is an example of another bank that
is, along with Citibank, confusing its customers.
"I also bank with HSBC in Hong Kong and you never, ever, know
when you get an e-mail from them whether it is real or not," said
However, an HSBC Hong Kong spokesperson denied that its e-mails
were confusing and claimed the bank suffers "very few" losses
related to phishing. The spokesperson said it is not difficult to
spot a legitimate e-mail because the bank never asks for personal
details or account information.
"In phishing attacks, people are asked to reveal account
information and personal details of a nature that no bank ever
would. Passwords and PINs are what [phishers] are after. No bank,
certainly not this one, will ever ask you to reveal those," the
spokesperson told ZDNet Australia in a telephone
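As an added example (it is not from the article, nor from any of the banks or vendors quoted), the following Python script turns the rules the sources above describe into a mechanical check over constructed sample messages: an e-mail claiming to come from a bank is flagged if it asks the recipient to confirm or update passwords, PINs or log-in details (the HSBC spokesperson's rule), if it links to or is sent from a host outside the bank's own domains, or if the bank, like NAB in Rundle's account, only contacts customers through its post-log-in messaging interface. The domain names, the sample messages and the `assess` function are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Requests that, per the HSBC spokesperson, a genuine bank e-mail never makes:
# a credential-like noun and a "confirm/update/provide" verb in either order.
NOUNS = r"password|pin|log-?in details|security details|account number"
VERBS = r"confirm|verify|update|enter|provide|reply with"
CREDENTIAL_REQUEST = re.compile(
    rf"\b({NOUNS})\b.*?\b({VERBS})\b|\b({VERBS})\b.*?\b({NOUNS})\b",
    re.IGNORECASE | re.DOTALL,
)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def _in_domains(host, bank_domains):
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in bank_domains)


def assess(sender_domain, body, bank_domains, uses_inbox_only=False):
    """Assess an e-mail that claims to come from a bank.

    bank_domains: hostnames the bank really uses (assumed for the example).
    uses_inbox_only: True if the bank only messages customers inside online
    banking, in which case any e-mail at all is treated as phishing.
    """
    reasons = []
    if uses_inbox_only:
        reasons.append("bank only messages customers inside online banking")
    if CREDENTIAL_REQUEST.search(body):
        reasons.append("asks to confirm or update credentials or account details")
    for host in URL_HOST.findall(body):
        if not _in_domains(host, bank_domains):
            reasons.append(f"link to non-bank host {host.lower()}")
    if not _in_domains(sender_domain, bank_domains):
        reasons.append(f"sender domain {sender_domain} is not the bank's")
    return Verdict(bool(reasons), reasons)


# Constructed sample messages (hypothetical domains, not real bank mail).
SAMPLES = {
    # Modelled on the Citibank e-mail described in the article.
    "citibank_style": (
        "citibank.example", ["citibank.example"], False,
        "Due to an update of our security system, please update your online "
        "banking log-in details at https://www.citibank.example/update",
    ),
    # A plain phishing attempt asking for PIN and password from a look-alike host.
    "phish": (
        "mail.secure-bank.example", ["bank.example"], False,
        "Your account has been suspended. Please reply with your PIN and "
        "password, or visit http://secure-bank.example/login to restore access.",
    ),
    # A notification that asks for nothing and links nowhere.
    "benign": (
        "bank.example", ["bank.example"], False,
        "Your May statement is now available. Log in as usual through our "
        "website to view it.",
    ),
    # Same benign text, but from a bank that never e-mails customers (NAB-style).
    "nab_style": (
        "nab.example", ["nab.example"], True,
        "Your May statement is now available. Log in as usual to view it.",
    ),
}


def classify_samples():
    """Run assess() over every sample and return {name: Verdict}."""
    return {
        name: assess(sender, body, domains, inbox_only)
        for name, (sender, domains, inbox_only, body) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        flag = "PHISHING?" if verdict.suspicious else "ok"
        print(f"{name:15} {flag:10} {'; '.join(verdict.reasons)}")
```

The Citibank-style message is flagged purely on content: its sender and link are legitimate, yet it asks customers to update log-in details, which is exactly why the security experts quoted above could not tell it from a phish. The NAB-style case shows Rundle's simpler rule: once a bank never sends e-mail, no content analysis is needed at all.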
Tim Sheedy, senior analyst at Forrester Research, said on
Wednesday that financial organisations should have set procedures
to ensure that potentially confusing e-mails are never sent
out. "Any organisation worth its weight -- such as a telco or a
bank -- is going to have processes in place to stop that from
happening," he said.